Linus Torvalds
If an attacker achieves code execution with root privileges, they can run their own code at the kernel level, for example by replacing the kernel using kexec or by reading/writing memory through /dev/kmem. The most obvious consequence of such activity may be
Initially, the functions for restricting root were developed in the context of strengthening verified boot protection, and distributions have been using third-party patches to block bypasses of UEFI Secure Boot for quite some time. At the same time, such restrictions were not included in the main kernel tree due to
Lockdown mode restricts access to /dev/mem, /dev/kmem, /dev/port, /proc/kcore, debugfs, the kprobes debug mode, mmiotrace, tracefs, BPF, PCMCIA CIS (Card Information Structure), some ACPI interfaces and CPU MSR registers; the kexec_file and kexec_load calls are blocked, sleep mode is prohibited, the use of DMA for PCI devices is limited, importing ACPI code from EFI variables is prohibited, and manipulation of I/O ports is not allowed, including changing the interrupt number and I/O port of the serial port.
By default, the lockdown module is not active. It is built when the SECURITY_LOCKDOWN_LSM option is set in kconfig, and it is activated through the kernel parameter "lockdown=", the control file "/sys/kernel/security/lockdown", or build options
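The activation paths above can be audited on a running host. The following is an added example, not code from the article or from the kernel project. It assumes the control file brackets the active mode (for example "none [integrity] confidentiality"); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the article): audit the kernel lockdown state.

# The control file lists every mode and brackets the active one,
# e.g. "none [integrity] confidentiality". Print the bracketed word.
active_lockdown_mode() {            # $1: contents of the control file
    case "$1" in
        *\[*\]*) ;;
        *) return 1 ;;              # no bracketed entry: unexpected format
    esac
    _lk_m="${1#*\[}"                # drop everything up to "["
    printf '%s\n' "${_lk_m%%\]*}"   # drop "]" and what follows
}

# Print the value of the "lockdown=" boot parameter (last occurrence).
cmdline_lockdown_param() {          # $1: contents of /proc/cmdline
    case " $1" in
        *" lockdown="*) ;;
        *) return 1 ;;              # parameter absent
    esac
    _lk_p=" $1"
    _lk_p="${_lk_p##* lockdown=}"   # text after the last " lockdown="
    printf '%s\n' "${_lk_p%% *}"    # cut at the next space
}

# Exit 0 if lockdown is active, 1 if "none", 2 if unavailable, 3 if unparseable.
lockdown_report() {                 # $1, $2: file paths, overridable for tests
    _lk_ctl="${1:-/sys/kernel/security/lockdown}"
    _lk_cmd="${2:-/proc/cmdline}"
    if [ ! -r "$_lk_ctl" ]; then
        echo "lockdown: unavailable (no SECURITY_LOCKDOWN_LSM or securityfs not mounted)"
        return 2
    fi
    _lk_mode=$(active_lockdown_mode "$(cat "$_lk_ctl")") || {
        echo "lockdown: unparseable control file"; return 3; }
    _lk_param=$(cmdline_lockdown_param "$(cat "$_lk_cmd" 2>/dev/null)") ||
        _lk_param="(not set)"
    echo "lockdown: mode=$_lk_mode boot-param=$_lk_param"
    [ "$_lk_mode" != "none" ]
}
```

Source the file and call `lockdown_report` with no arguments to check the local host; the exit status makes it usable in a compliance script.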
It is important to note that lockdown only restricts standard access to the kernel, but does not protect against modifications resulting from the exploitation of vulnerabilities. To block changes to the running kernel when exploits are used, the Openwall project
Source: opennet.ru